Backing up/restoring a LUKS encrypted partition with clonezilla

I recently wanted to back up my LUKS-encrypted disk. However, clonezilla only offered the ability to clone with dd, rather than the faster partclone tool, which is understandable. It is, however, possible to clone the (decrypted) underlying extfs filesystem. Note: if you make a backup of your decrypted data, it is as bad as if you’ve never encrypted it. Take good care of your backup and, for extra security, destroy it after you have restored it.

The first thing you need to do when you load Clonezilla, is to select “drop to shell” rather than running the normal clonezilla UI. You should now be in a root shell.

Map the device as you normally would (supposing your LUKS partition is /dev/sda5):

cryptsetup luksOpen /dev/sda5 crypt

You should now load some kernel modules:

modprobe dm-mod
vgchange -ay

You should now have /dev/mapper/yourdevice-vg–root or similar. You can use the partclone tool now.

Thank you so very much. You’re awesome. With regards to the security concerns, it all depends on where you’re storing the backup.

If you’re storing them on a different hard drive, you can always compress the backup into an encrypted archive. If you’re worried about it being cracked, you can input a passphrase that’s several hundred characters long and keep a copy of it on a USB stick and in your alreadty encrypted luks partion.

You could also store a copy compress but not encrypted with your LUKS. Won’t help you if your disk crashes or PC gets stolen but useful to have an hand when the OS is fubar and you need to restore it.

Hi Errietta! Thanks for sharing this. I need to clone my whole system (RHEL6 encrypted with LUKS) from a conventional HDD with 500GB to a 256GB SSD. The idea is to save time instead of having to reinstall the whole system and programs after the disk upgrade. I have read some articles on the internet about the process, some with success.. others not. So I am not sure how feasible that is. Would the process above work to clone a whole system, like in my case? Thank you in advance. Greetings from Brazil!!

You really can’t do that easily. The problem you run into has to do with drive geometry. Cloning SSD to SSD works, but spinning disk->SSD becomes very hairy. I’ve read articles where some were claiming they did it, but it’s not worth the effort.

I am using Linux mint. During installation I choose LVM and Encryption. I now have my system exactly how I like it, and would like to make an image backup, in case something goes horribly wrong. My drive is a total 160GB. Used: Roughly 20GB.

If I make a Clonezilla backup, will my image be 160GB, as the whole drive is encrypted? Or will it just be the 20GB of used?

I would prefer to make the smallest backup possible. If clonezilla is not best for this, can I somehow make a ‘decrypted backup’, a just encrypt the final image?

If the source disk had zeros to start (or if source disk is decrypted and mounted and dd is used to copy /dev/zero to a file zeros.txt inside the source disk — till this copy command errors out because it runs out of disk space, then file zeros.txt is deleted and system rebooted using live USB with internal source disk remaining encrypted), and dd is used to clone the encrypted disk to a compressed file, will the compressed file be not much over 20 G? Or does encrypted zeros on the drive not compress well?

Hi, how about piping everything through ccrypt or similar encryption software? That way you’ll never store plaintext data. I just created a clonezilla bootable usb disk and added manually in there a precompiled ccrypt binary.

Of course it’s not the same as backing up the whole encrypted partition. Pros: it will occupy only the used space, and it’s fast (inline encryption, no need to compress or to use temp files). Cons: not the same thing as LUKS, and the level of security of the backup will depend mostly on the password you use for encryption.

Once you are done with the backup you can enter: sudo clonezilla at the command line, then when it comes to asking you what you want to do, ‘savedisk’ ‘restoredisk’ and the like select ‘encrypt-img’ and encrypt your recently decrypted luks backup.

Thank you very much for this tip! I am new to Ubuntu 16.04 and probably missed a central point, because with the “clonezilla-live-20161121-yakkety-amd64.iso” I can’t start the cryptsetup command after I got the sudo permissions – it is just not active. Maybe there is a simple solution for this problem?

Not sure what you mean by “not active.” If you tried to run `cryptsetup` and got a message like `cryptsetup: command not found`, then you must install that package. At the same commandline, try something like `sudo apt-get install cryptsetup`. (And if you also need to work with LVM volumes, try `sudo apt-get install lvm2`)

But what can be done is just use `clonezilla` command to enter ncurses interface instead of using `partclone` and follow the wizard.. works fine. It even has image encryption feature which requires `ecryptfs-utils` though… It’s pretty cool. Just do not forget to do LuksOpen before running clonezilla 😉